In the theory of testing for Markovian processes developed so far, exponentially timed internal actions 
are not admitted within processes. When present, these actions cannot be abstracted away, because 
their execution takes a nonzero amount of time and hence can be observed. On the other hand, 
they must be carefully taken into account, in order not to equate processes that are distinguishable 
from a timing viewpoint. In this paper, we recast the definition of Markovian testing equivalence 
in the framework of a Markovian process calculus including exponentially timed internal actions. 
Then, we show that the resulting behavioral equivalence is a congruence, has a sound and complete 
axiomatization, has a modal logic characterization, and can be decided in polynomial time. 

1 Introduction 

Markovian behavioral equivalences are a means to relate and manipulate formal models with an
underlying continuous-time Markov chain (CTMC) semantics. Various proposals have appeared in the
literature, which are extensions of the traditional approaches to the definition of behavioral
equivalences. Markovian bisimilarity [14, 13] 13 considers two processes to be equivalent whenever
they are able to mimic each other's functional and performance behavior stepwise. Markovian testing
equivalence [2] considers two processes to be equivalent whenever an external observer is not able
to distinguish between them from a functional or performance viewpoint by interacting with them by
means of tests and comparing their reactions. Markovian trace equivalence [19] considers two
processes to be equivalent whenever they are able to perform computations with the same functional
and performance characteristics.

The three Markovian behavioral equivalences mentioned above have different discriminating powers
as a consequence of their different definitions. However, they are all meaningful not only from a
functional standpoint [17, 11, 7], but also from a performance standpoint. In fact, Markovian
bisimilarity is known to be in agreement with an exact CTMC-level aggregation called ordinary
lumpability [14, 8], while Markovian testing and trace equivalences are known to be consistent with
a coarser exact CTMC-level aggregation called T-lumpability [2, 3].

In this paper, we focus on the treatment of internal actions - denoted by $\tau$ as usual - that are
exponentially timed. Unlike internal actions of nondeterministic processes, exponentially timed
internal actions cannot be abstracted away, because their execution takes a nonzero amount of time
and hence can be observed. To be precise, in [14, 6, 11] the issue of abstracting from them has been
addressed, but it remains unclear whether and to what extent abstraction is possible, especially if
we want to end up with a weak Markovian behavioral equivalence that induces a nontrivial, exact
CTMC-level aggregation.

The definition of Markovian bisimilarity smoothly includes exponentially timed internal actions, by
applying to them the same exit rate equality check that is applied to exponentially timed visible
actions. Unfortunately, this is not the case with Markovian testing and trace equivalences as
witnessed by the theory developed for them, which does not admit exponentially timed internal
actions within processes. When present, these actions must be carefully taken into account in order
not to equate processes that are distinguishable from a timing viewpoint. As an example, given
$\lambda, \mu \in \mathbb{R}_{>0}$, processes "$<\tau,\lambda>.0$" - which can only execute an
exponentially timed internal action whose average duration is $1/\lambda$ - and "$<\tau,\mu>.0$" -
which can only execute an exponentially timed internal action whose average duration is $1/\mu$ -
should not be considered equivalent if $\lambda > \mu$, as the durations of their actions are
sampled from different exponential probability distributions. Moreover, if they were considered
equivalent, then congruence with respect to alternative and parallel composition would not hold.

With the definition of Markovian testing equivalence given in [2] - which compares the probabilities
of passing the same test within the same average time upper bound - there is no way to distinguish
between the two processes above, as they pass with probability 1 the test comprising only the
success state and with probability 0 any other test, independent of the fixed average time upper
bound. In this paper, we show that a simple way to distinguish between the two processes above
consists of imposing an additional constraint on the length of the successful computations to take
into account.

For instance, if we take a test comprising only the success state, the two processes above pass the
test with probability 1 for every average time upper bound if we restrict ourselves to successful
computations of length 0. However, if we move to successful computations of length 1 and we use
$1/\lambda$ as average time upper bound, it turns out that $<\tau,\lambda>.0$ reaches success with
probability 1 - as it has enough time on average to perform its only action - whereas
$<\tau,\mu>.0$ does not - as it has not enough time on average to perform its only action by the
deadline. A similar idea applies to Markovian trace equivalence.

After introducing a Markovian process calculus that includes exponentially timed internal actions
(Sect. 2), we present a new definition of Markovian testing equivalence that embodies the idea
illustrated above (Sect. 3). Then, we show that (i) it coincides with the equivalence defined in [2]
when exponentially timed internal actions are absent, (ii) its discriminating power does not change
if we introduce exponentially timed internal actions within tests, and (iii) it inherits the fully
abstract characterization studied in [2] (Sect. 4). Furthermore, we show that it is a congruence
with respect to typical dynamic and static operators (Sect. 5) and has a sound and complete
axiomatization for nonrecursive processes (Sect. 6), thus overcoming the limitation to dynamic
operators of analogous results contained in [2]. Finally, we show that it has a modal logic
characterization (Sect. 7), which is based on the same modal language as H, and that it can be
decided in polynomial time (Sect. 8).

2 Markovian Process Calculus 

In this section, we present a process calculus in which every action has associated with it a rate
that uniquely identifies its exponentially distributed duration. The definition of the syntax and of
the semantics for the resulting Markovian process calculus - MPC for short - is followed by the
introduction of some notations related to process terms and their computations that will be used in
the rest of the paper.

2.1 Durational Actions and Behavioral Operators 

In MPC, an exponentially timed action is represented as a pair $<a,\lambda>$. The first element,
$a$, is the name of the action, which is $\tau$ in the case that the action is internal, otherwise
it belongs to a set $Name_v$ of visible action names. The second element,
$\lambda \in \mathbb{R}_{>0}$, is the rate of the exponentially distributed random variable $RV$
quantifying the duration of the action, i.e., $\Pr\{RV \le t\} = 1 - e^{-\lambda \cdot t}$ for
$t \in \mathbb{R}_{>0}$. The average duration of the action is equal to the reciprocal of its rate,
i.e., $1/\lambda$. If several exponentially timed actions are enabled, the race policy is adopted:
the action that is executed is the fastest one.

The sojourn time associated with a process term $P$ is thus the minimum of the random variables
quantifying the durations of the exponentially timed actions enabled by $P$. Since the minimum of
several exponentially distributed random variables is exponentially distributed and its rate is the
sum of the rates of the original variables, the sojourn time associated with $P$ is exponentially
distributed with rate equal to the sum of the rates of the actions enabled by $P$. Therefore, the
average sojourn time associated with $P$ is the reciprocal of the sum of the rates of the actions it
enables. The probability of executing one of those actions is given by the action rate divided by
the sum of the rates of all the considered actions.

Passive actions of the form $<a,*_w>$ are also included in MPC, where $w \in \mathbb{R}_{>0}$ is the
weight of the action. The duration of a passive action is undefined. When several passive actions
are enabled, the reactive preselection policy is adopted. This means that, within every set of
enabled passive actions having the same name, each such action is given an execution probability
equal to the action weight divided by the sum of the weights of all the actions in the set. Instead,
the choice among passive actions having different names is nondeterministic. Likewise, the choice
between a passive action and an exponentially timed action is nondeterministic.

MPC comprises a CSP-like parallel composition operator $\|_S$ relying on an asymmetric
synchronization discipline [5], according to which an exponentially timed action can synchronize
only with a passive action having the same name. In other words, the synchronization between two
exponentially timed actions is forbidden. Following the terminology of [12], the adopted
synchronization discipline mixes generative and reactive probabilistic aspects. Firstly, among all
the enabled exponentially timed actions, the proposal of an action name is generated after a
selection based on the rates of those actions. Secondly, the enabled passive actions that have the
same name as the proposed one react by means of a selection based on their weights. Thirdly, the
exponentially timed action winning the generative selection and the passive action winning the
reactive selection synchronize with each other. The rate of the synchronization is given by the rate
of the selected exponentially timed action multiplied by the execution probability of the selected
passive action, thus complying with the bounded capacity assumption [14].

We denote by $Act = Name \times Rate$ the set of actions of MPC, where $Name = Name_v \cup \{\tau\}$
is the set of action names - ranged over by $a, b$ - and
$Rate = \mathbb{R}_{>0} \cup \{*_w \mid w \in \mathbb{R}_{>0}\}$ is the set of action rates - ranged
over by $\tilde\lambda, \tilde\mu$. We then denote by $Relab$ a set of relabeling functions
$\varphi : Name \rightarrow Name$ that preserve action visibility, i.e., such that
$\varphi^{-1}(\tau) = \{\tau\}$. Finally, we denote by $Var$ a set of process variables ranged over
by $X, Y$.

Definition 2.1 The set of process terms of the process language $\mathcal{PL}$ is generated by the
following syntax:

$$
\begin{array}{rcll}
P & ::= & 0 & \text{inactive process} \\
  & |   & <a,\lambda>.P & \text{exponentially timed action prefix} \\
  & |   & <a,*_w>.P & \text{passive action prefix} \\
  & |   & P + P & \text{alternative composition} \\
  & |   & P \,\|_S\, P & \text{parallel composition} \\
  & |   & P / H & \text{hiding} \\
  & |   & P[\varphi] & \text{relabeling} \\
  & |   & X & \text{process variable} \\
  & |   & \mathrm{rec}\, X : P & \text{recursion}
\end{array}
$$

where $a \in Name$, $\lambda, w \in \mathbb{R}_{>0}$, $S, H \subseteq Name_v$, $\varphi \in Relab$,
and $X \in Var$. We denote by $\mathbb{P}$ the set of closed and guarded process terms of
$\mathcal{PL}$. ■

2.2 Operational Semantics 

The semantics for MPC can be defined in the usual operational style, with an important difference
with respect to the nondeterministic case. A process term like $<a,\lambda>.0 + <a,\lambda>.0$ is
not the same as $<a,\lambda>.0$, because the average sojourn time associated with the latter, i.e.,
$1/\lambda$, is twice the average sojourn time associated with the former, i.e.,
$1/(\lambda + \lambda)$. In order to assign distinct semantic models to terms like the two
considered above, we have to take into account the multiplicity of each transition, intended as the
number of different proofs for the transition derivation. The semantic model $[\![P]\!]$ for a
process term $P \in \mathbb{P}$ is thus a labeled multitransition system, whose multitransition
relation is contained in the smallest multiset of elements of
$\mathbb{P} \times Act \times \mathbb{P}$ satisfying the operational semantic rules of Table 1
($\{\_ \hookrightarrow \_\}$ denotes syntactical replacement; $\{|$ and $|\}$ are multiset
parentheses).

We observe that exponential distributions fit well with the interleaving view of parallel composition. 
Due to their memoryless property, the execution of an exponentially timed action can be thought of as 
being started in the last state in which the action is enabled. Due to their infinite support, the probability 
that two concurrent exponentially timed actions terminate simultaneously is zero. 

The CTMC underlying a process term $P \in \mathbb{P}$ can be derived from $[\![P]\!]$ iff this
labeled multitransition system has no passive transitions, in which case we say that $P$ is
performance closed. We denote by $\mathbb{P}_{pc}$ the set of performance closed process terms of
$\mathbb{P}$.



2.3 Exit Rates of Process Terms 

The exit rate of a process term $P \in \mathbb{P}$ is the rate at which $P$ can execute actions of a
certain name $a \in Name$ that lead to a certain destination $D \subseteq \mathbb{P}$ and is given
by the sum of the rates of those actions due to the race policy. We consider a two-level definition
of exit rate, with level 0 corresponding to exponentially timed actions and level $-1$ corresponding
to passive actions:

$$
rate_e(P,a,l,D) =
\begin{cases}
\sum \{|\, \lambda \in \mathbb{R}_{>0} \mid \exists P' \in D.\ P \xrightarrow{a,\lambda} P' \,|\} & \text{if } l = 0 \\
\sum \{|\, w \in \mathbb{R}_{>0} \mid \exists P' \in D.\ P \xrightarrow{a,*_w} P' \,|\} & \text{if } l = -1
\end{cases}
$$

where each summation is taken to be zero whenever its multiset is empty.

By summing up the rates of all the actions of a certain level $l$ that $P$ can execute, we obtain
the total exit rate of $P$ at level $l$:

$$
rate_t(P,l) = \sum_{a \in Name} rate_o(P,a,l)
$$

where:

$$
rate_o(P,a,l) = rate_e(P,a,l,\mathbb{P})
$$

is the overall exit rate of $P$ with respect to $a$ at level $l$.

If $P$ is performance closed, then $rate_t(P,0)$ coincides with the reciprocal of the average
sojourn time associated with $P$. Instead, $rate_o(P,a,-1)$ coincides with $weight(P,a)$.



2.4 Probability and Duration of Computations 

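$$
\begin{array}{ll}
(\mathrm{Pre}_1)\quad <a,\lambda>.P \xrightarrow{a,\lambda} P
& (\mathrm{Pre}_2)\quad <a,*_w>.P \xrightarrow{a,*_w} P
\\[2ex]
(\mathrm{Alt}_1)\quad \dfrac{P_1 \xrightarrow{a,\tilde\lambda} P'}{P_1 + P_2 \xrightarrow{a,\tilde\lambda} P'}
& (\mathrm{Alt}_2)\quad \dfrac{P_2 \xrightarrow{a,\tilde\lambda} P'}{P_1 + P_2 \xrightarrow{a,\tilde\lambda} P'}
\\[3ex]
(\mathrm{Par}_1)\quad \dfrac{P_1 \xrightarrow{a,\tilde\lambda} P_1' \quad a \notin S}{P_1 \|_S P_2 \xrightarrow{a,\tilde\lambda} P_1' \|_S P_2}
& (\mathrm{Par}_2)\quad \dfrac{P_2 \xrightarrow{a,\tilde\lambda} P_2' \quad a \notin S}{P_1 \|_S P_2 \xrightarrow{a,\tilde\lambda} P_1 \|_S P_2'}
\\[3ex]
(\mathrm{Syn}_1)\quad \dfrac{P_1 \xrightarrow{a,\lambda} P_1' \quad P_2 \xrightarrow{a,*_w} P_2' \quad a \in S}{P_1 \|_S P_2 \xrightarrow{a,\ \lambda \cdot \frac{w}{weight(P_2,a)}} P_1' \|_S P_2'}
& (\mathrm{Syn}_2)\quad \dfrac{P_1 \xrightarrow{a,*_w} P_1' \quad P_2 \xrightarrow{a,\lambda} P_2' \quad a \in S}{P_1 \|_S P_2 \xrightarrow{a,\ \lambda \cdot \frac{w}{weight(P_1,a)}} P_1' \|_S P_2'}
\\[3ex]
\multicolumn{2}{l}{(\mathrm{Syn}_3)\quad \dfrac{P_1 \xrightarrow{a,*_{w_1}} P_1' \quad P_2 \xrightarrow{a,*_{w_2}} P_2' \quad a \in S}{P_1 \|_S P_2 \xrightarrow{a,\ *_{norm(w_1,w_2,a,P_1,P_2)}} P_1' \|_S P_2'}}
\\[3ex]
(\mathrm{Hid}_1)\quad \dfrac{P \xrightarrow{a,\tilde\lambda} P' \quad a \in H}{P/H \xrightarrow{\tau,\tilde\lambda} P'/H}
& (\mathrm{Hid}_2)\quad \dfrac{P \xrightarrow{a,\tilde\lambda} P' \quad a \notin H}{P/H \xrightarrow{a,\tilde\lambda} P'/H}
\\[3ex]
(\mathrm{Rel})\quad \dfrac{P \xrightarrow{a,\tilde\lambda} P'}{P[\varphi] \xrightarrow{\varphi(a),\tilde\lambda} P'[\varphi]}
& (\mathrm{Rec})\quad \dfrac{P\{\mathrm{rec}\,X : P \hookrightarrow X\} \xrightarrow{a,\tilde\lambda} P'}{\mathrm{rec}\,X : P \xrightarrow{a,\tilde\lambda} P'}
\end{array}
$$

$$
weight(P,a) = \sum \{|\, w \in \mathbb{R}_{>0} \mid \exists P' \in \mathbb{P}.\ P \xrightarrow{a,*_w} P' \,|\}
$$

$$
norm(w_1,w_2,a,P_1,P_2) = \frac{w_1}{weight(P_1,a)} \cdot \frac{w_2}{weight(P_2,a)} \cdot (weight(P_1,a) + weight(P_2,a))
$$

Table 1: Operational semantic rules for MPC

A computation of a process term $P \in \mathbb{P}$ is a sequence of transitions that can be executed
starting from $P$. The length of a computation is given by the number of transitions occurring in
it. We denote by $\mathcal{C}_f(P)$ the multiset of finite-length computations of $P$. We say that
two distinct computations are independent of each other if neither is a proper prefix of the other
one. In the following, we concentrate on finite multisets of independent, finite-length
computations. Below we define the probability and the duration of a computation
$c \in \mathcal{C}_f(P)$ for $P \in \mathbb{P}_{pc}$, using $\_ \circ \_$ for sequence concatenation
and $|\_|$ for sequence length.
The probability of executing $c$ is the product of the execution probabilities of the transitions
of $c$: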




We also define the probability of executing a computation in $C \subseteq \mathcal{C}_f(P)$ as:

$$
prob(C) = \sum_{c \in C} prob(c)
$$

whenever $C$ is finite and all of its computations are independent of each other.

The stepwise average duration of $c$ is the sequence of average sojourn times in the states
traversed by $c$:

$$
time_a(c) =
\begin{cases}
\varepsilon & \text{if } |c| = 0 \\
\frac{1}{rate_t(P,0)} \circ time_a(c') & \text{if } c \equiv P \xrightarrow{a,\lambda} c'
\end{cases}
$$

where $\varepsilon$ is the empty stepwise average duration. We also define the multiset of
computations in $C \subseteq \mathcal{C}_f(P)$ whose stepwise average duration is not greater than
$\theta \in (\mathbb{R}_{>0})^*$ as:

$$
C_{\le\theta} = \{|\, c \in C \mid |c| \le |\theta| \wedge \forall i = 1,\dots,|c|.\ time_a(c)[i] \le \theta[i] \,|\}
$$

Moreover, we denote by $C^l$ the multiset of computations in $C \subseteq \mathcal{C}_f(P)$ whose
length is equal to $l \in \mathbb{N}$.

We conclude by observing that the average duration of a finite-length computation has been defined
as the sequence of average sojourn times in the states traversed by the computation. The same
quantity could have been defined as the sum of the same basic ingredients, but this would not have
been appropriate as explained in [19, 2].



3 Redefining Markovian Testing Equivalence 

The basic idea behind testing equivalence is to infer information about the behavior of process terms by 
interacting with them by means of tests and comparing their reactions. In a Markovian setting, we are 
not only interested in verifying whether tests are passed or not, but also in measuring the probability with 
which they are passed and the time taken to pass them. Therefore, we have to restrict ourselves to $\mathbb{P}_{pc}$. 

As in the nondeterministic setting, the most convenient way to represent a test is through a process 
term, which interacts with any process term under test by means of a parallel composition operator 
that enforces synchronization on the set $Name_v$ of all visible action names. Due to the adoption of 
an asymmetric synchronization discipline, a test can comprise only passive visible actions, so that the 
composite term inherits performance closure from the process term under test. 

From a testing viewpoint, in any of its states a process term under test generates the proposal of an 
action to be executed by means of a race among the exponentially timed actions enabled in that state. If 
the name of the proposed action is $\tau$, then the process term advances by itself. Otherwise, the test either 
reacts by participating in the interaction with the process term through a passive action having the same 
name as the proposed exponentially timed action, or blocks the interaction if it has no passive actions 
with the proposed name. 

Markovian testing equivalence relies on comparing the process term probabilities of performing
successful test-driven computations within arbitrary sequences of average amounts of time. Due to
the presence of these average time upper bounds, for the test representation we can restrict
ourselves to nonrecursive process terms. In other words, the expressiveness provided by finite-state
labeled multitransition systems with an acyclic structure is enough for tests.

In order not to interfere with the quantitative aspects of the behavior of process terms under test,
we avoid the introduction of a success action $\omega$. The successful completion of a test is
formalized in the test syntax by replacing 0 with a zeroary operator s denoting a success state.
Ambiguous tests including several summands among which at least one equal to s are avoided through a
two-level syntax.

Definition 3.1 The set $\mathbb{T}_R$ of reactive tests is generated by the following syntax:

$$
\begin{array}{rcl}
T & ::= & s \mid T' \\
T' & ::= & <a,*_w>.T \mid T' + T'
\end{array}
$$

where $a \in Name_v$ and $w \in \mathbb{R}_{>0}$. ■

Definition 3.2 Let $P \in \mathbb{P}_{pc}$ and $T \in \mathbb{T}_R$. The interaction system of $P$
and $T$ is process term $P \|_{Name_v} T \in \mathbb{P}_{pc}$ and we say that:

• A configuration is a state of $[\![P \|_{Name_v} T]\!]$, which is formed by a process and a test projection.

• A configuration is successful iff its test projection is s.

• A test-driven computation is a computation of $[\![P \|_{Name_v} T]\!]$.

• A test-driven computation is successful iff it traverses a successful configuration.

We denote by $\mathcal{SC}(P,T)$ the multiset of successful computations of $P \|_{Name_v} T$. ■

If a process term $P \in \mathbb{P}_{pc}$ under test has no exponentially timed $\tau$-actions as it
was in [2], then for all reactive tests $T \in \mathbb{T}_R$ it turns out that: (i) all the
computations in $\mathcal{SC}(P,T)$ have a finite length due to the restrictions imposed on the test
syntax; (ii) all the computations in $\mathcal{SC}(P,T)$ are independent of each other because of
their maximality; (iii) the multiset $\mathcal{SC}(P,T)$ is finite because $P$ and $T$ are finitely
branching. Thus, all definitions of Sect. 2.4 are applicable to $\mathcal{SC}(P,T)$ and also to
$\mathcal{SC}_{\le\theta}(P,T)$ for any sequence $\theta \in (\mathbb{R}_{>0})^*$ of average amounts
of time.

In order to cope with the possible presence of exponentially timed $\tau$-actions within $P$ in such
a way that all the properties above hold - especially independence - we have to consider subsets of
$\mathcal{SC}_{\le\theta}(P,T)$ including all successful test-driven computations of the same
length. This is also necessary to distinguish among process terms comprising only exponentially
timed $\tau$-actions - like $<\tau,\lambda>.0$ and $<\tau,\mu>.0$, with $\lambda > \mu$, mentioned
in Sect. 1 - as there is a single test, s, that those process terms can pass. The only option is to
compare them after executing the same number of $\tau$-actions.

Since no element of $\mathcal{SC}_{\le\theta}(P,T)$ can be longer than $|\theta|$, we should
consider every possible subset $\mathcal{SC}^{l}_{\le\theta}(P,T)$ for $0 \le l \le |\theta|$.
However, it is enough to consider $\mathcal{SC}^{|\theta|}_{\le\theta}(P,T)$, as shorter successful
test-driven computations can be taken into account when imposing prefixes of $\theta$ as average
time upper bounds. Therefore, the novelty with respect to [2] is simply the presence of the
additional constraint $|\theta|$.

Definition 3.3 Let $P_1, P_2 \in \mathbb{P}_{pc}$. We say that $P_1$ is Markovian testing equivalent
to $P_2$, written $P_1 \sim_{MT} P_2$, iff for all reactive tests $T \in \mathbb{T}_R$ and sequences
$\theta \in (\mathbb{R}_{>0})^*$ of average amounts of time:

$$
prob(\mathcal{SC}^{|\theta|}_{\le\theta}(P_1,T)) = prob(\mathcal{SC}^{|\theta|}_{\le\theta}(P_2,T))
$$
■

Note that we have not defined a may equivalence and a must equivalence as in the nondeterministic 
case [11]. The reason is that in this Markovian framework the possibility and the necessity of passing 
a test are not sufficient to discriminate among process terms, as they are qualitative concepts. What we 
have considered here is a single quantitative notion given by the probability of passing a test (within 
an average time upper bound); hence, the definition of a single equivalence. This quantitative notion 
subsumes both the possibility of passing a test - which can be encoded as the probability of passing the 
test being greater than zero - and the necessity of passing a test - which can be encoded as the probability 
of passing the test being equal to one. 

Although we could have defined Markovian testing equivalence as the kernel of a Markovian testing
preorder, this has not been done. The reason is that such a preorder would have boiled down to an
equivalence relation, because for each reactive test passed by $P_1$ within $\theta$ with a
probability less than the probability with which $P_2$ passes the same test within $\theta$, in
general it is possible to find a dual reactive test for which the relation between the two
probabilities is inverted.

Another important difference with respect to the nondeterministic case is that the presence of average 
time upper bounds makes it possible to decide whether a test is passed or not even if the process term 
under test can execute infinitely many exponentially timed $\tau$-actions. In other words, $\tau$-divergence does 
not need to be taken into account. 

4 Basic Properties and Characterizations 

First of all, we observe that, whenever exponentially timed $\tau$-actions are absent, the new
Markovian testing equivalence $\sim_{MT}$ coincides with the old one defined in [2], which we denote
by $\sim_{MT,old}$. In the following, we use $\mathbb{P}_{pc,v}$ to refer to the process terms of
$\mathbb{P}_{pc}$ that contain no exponentially timed $\tau$-actions.

Proposition 4.1 Let $P_1, P_2 \in \mathbb{P}_{pc,v}$. Then $P_1 \sim_{MT} P_2 \iff P_1 \sim_{MT,old} P_2$. ■

Then, we have two alternative characterizations of $\sim_{MT}$, which provide further justifications
for the way in which the equivalence has been defined. The first one establishes that the
discriminating power does not change if we consider a set $\mathbb{T}_{R,lib}$ of tests with the
following more liberal syntax:

$$
T ::= s \mid <a,*_w>.T \mid T + T
$$

provided that by successful configuration we mean a configuration whose test projection includes s
as top-level summand. Let us denote by $\sim_{MT,lib}$ the resulting variant of Markovian testing
equivalence.

Proposition 4.2 Let $P_1, P_2 \in \mathbb{P}_{pc}$. Then $P_1 \sim_{MT,lib} P_2 \iff P_1 \sim_{MT} P_2$. ■

The second characterization establishes that the discriminating power does not change if we consider
a set $\mathbb{T}_{R,\tau}$ of tests capable of moving autonomously by executing exponentially timed
$\tau$-actions:

$$
\begin{array}{rcl}
T & ::= & s \mid T' \\
T' & ::= & <a,*_w>.T \mid <\tau,\lambda>.T \mid T' + T'
\end{array}
$$

Let us denote by $\sim_{MT,\tau}$ the resulting variant of Markovian testing equivalence.

Proposition 4.3 Let $P_1, P_2 \in \mathbb{P}_{pc}$. Then $P_1 \sim_{MT,\tau} P_2 \iff P_1 \sim_{MT} P_2$. ■

Finally, we have two further alternative characterizations of $\sim_{MT}$ coming from [2]. The first one 
establishes that the discriminating power does not change if we consider the (more accurate) probability 
distribution of passing tests within arbitrary sequences of amounts of time, rather than the (easier to work 
with) probability of passing tests within arbitrary sequences of average amounts of time. 

The second characterization fully abstracts from comparing process term behavior in response to
tests. This is achieved by considering traces that are extended at each step with the set of visible
action names permitted by the environment at that step (not to be confused with a ready set). A
consequence of the structure of extended traces is the identification of a set $\mathbb{T}_{R,c}$ of
canonical reactive tests, which is generated by the following syntax:

$$
T ::= s \mid <a,*_1>.T + \sum_{b \in \mathcal{E} - \{a\}} <b,*_1>.<z,*_1>.s
$$

where $a \in \mathcal{E}$, $\mathcal{E} \subseteq Name_v$ finite, the summation is absent whenever
$\mathcal{E} = \{a\}$, and $z$ is a visible action name representing failure that can occur within
tests but not within process terms under test. Similar to the case of probabilistic testing
equivalence [9, 10], each of these canonical reactive tests admits a single computation leading to
success, whose intermediate states can have additional computations each leading to failure in one
step. We point out that the canonical reactive tests are name deterministic, in the sense that the
names of the passive actions occurring in any of their branches are all distinct.

5 Congruence Property 

Markovian testing equivalence is a congruence with respect to all MPC operators. In particular,
unlike [2], we have a full congruence result with respect to parallel composition.

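Theorem 5.1 Let $P_1, P_2 \in \mathbb{P}_{pc}$. Whenever $P_1 \sim_{MT} P_2$, then:

1. $<a,\lambda>.P_1 \sim_{MT} <a,\lambda>.P_2$ for all $<a,\lambda> \in Act$.

2. $P_1 + P \sim_{MT} P_2 + P$ and $P + P_1 \sim_{MT} P + P_2$ for all $P \in \mathbb{P}_{pc}$.

3. $P_1 \|_S P \sim_{MT} P_2 \|_S P$ and $P \|_S P_1 \sim_{MT} P \|_S P_2$ for all $P \in \mathbb{P}$ and $S \subseteq Name_v$ s.t. $P_1 \|_S P, P_2 \|_S P \in \mathbb{P}_{pc}$.

4. $P_1/H \sim_{MT} P_2/H$ for all $H \subseteq Name_v$.

5. $P_1[\varphi] \sim_{MT} P_2[\varphi]$ for all $\varphi \in Relab$. ■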

It is worth stressing that the additional constraint on the length of successful test-driven
computations present in Def. 3.3 is fundamental for achieving congruence with respect to alternative
and parallel composition. As an example, if it were $<\tau,\lambda>.0 \sim_{MT} <\tau,\mu>.0$ for
$\lambda > \mu$, then we would have
$<\tau,\lambda>.0 + <a,\gamma>.0 \not\sim_{MT} <\tau,\mu>.0 + <a,\gamma>.0$. In fact, when the
average time upper bound is high enough, the probability of passing $<a,*_1>.s$ is
$\frac{\gamma}{\lambda+\gamma}$ for the first term, whereas it is $\frac{\gamma}{\mu+\gamma}$ for
the second term. We also mention that Props. 4.2 and 4.3 are exploited in the congruence proof for
static operators.
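
The two examples used in the text (the processes $<\tau,\lambda>.0$ and $<\tau,\mu>.0$ of Sect. 1, and the congruence counterexample above) can be replayed mechanically against Def. 3.3. The following Python sketch is an added example, not code from the paper: the dictionary/list encoding of process terms and tests, the function names, and the rate values 3, 2 and 5 chosen for $\lambda$, $\mu$ and $\gamma$ are assumptions made here.

```python
from fractions import Fraction as F

TAU = "tau"        # name of the internal action
SUCCESS = "s"      # success state of a reactive test

# Assumed encoding (not from the paper):
#  - a performance-closed process is a dict: state -> list of (name, rate, next_state),
#    with one entry per transition so that multiplicities are kept;
#  - a reactive test is SUCCESS or a list of passive summands (name, weight, subtest).

def config_moves(proc, p, t):
    """Transitions (rate, next_p, next_t) of configuration (p, t) of P ||_{Name_v} T."""
    moves = []
    for name, rate, p_next in proc[p]:
        if name == TAU:
            moves.append((rate, p_next, t))          # the process advances by itself
        elif t != SUCCESS:
            weight = sum(w for b, w, _ in t if b == name)      # weight(T, name)
            for b, w, t_next in t:
                if b == name:                        # generative-reactive synchronization
                    moves.append((rate * F(w, weight), p_next, t_next))
        # a visible action with no passive partner in the test is blocked
    return moves

def pass_probability(proc, p, t, theta, seen_success=False):
    """Probability of the successful test-driven computations of length |theta|
    whose stepwise average duration is not greater than theta (Def. 3.3)."""
    seen_success = seen_success or t == SUCCESS
    if not theta:                                    # exactly |theta| steps were executed
        return F(1) if seen_success else F(0)
    moves = config_moves(proc, p, t)
    total = sum(rate for rate, _, _ in moves)        # total exit rate of the configuration
    if total == 0 or 1 / total > theta[0]:           # stuck, or too slow on average
        return F(0)
    return sum((rate / total) * pass_probability(proc, p2, t2, theta[1:], seen_success)
               for rate, p2, t2 in moves)

# Constructed sample values with lambda > mu.
LAM, MU, GAMMA = F(3), F(2), F(5)

def tau_only(rate):
    """<tau,rate>.0"""
    return {"P": [(TAU, rate, "0")], "0": []}

def tau_or_a(rate):
    """<tau,rate>.0 + <a,gamma>.0"""
    return {"P": [(TAU, rate, "0"), ("a", GAMMA, "0")], "0": []}

TEST_A = [("a", 1, SUCCESS)]                         # the test <a,*_1>.s

if __name__ == "__main__":
    for label, rate in (("lambda", LAM), ("mu", MU)):
        print(label,
              pass_probability(tau_only(rate), "P", SUCCESS, []),
              pass_probability(tau_only(rate), "P", SUCCESS, [1 / LAM]),
              pass_probability(tau_or_a(rate), "P", TEST_A, [F(10)]))
```

With the empty sequence of time bounds both $\tau$-only processes pass the test s with probability 1; with the single bound $1/\lambda$ only the faster one does, and the two composed terms pass $<a,*_1>.s$ with different probabilities.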

6 Sound and Complete Axiomatization 

Markovian testing equivalence has a sound and complete axiomatization over the set
$\mathbb{P}_{pc,nrec}$ of nonrecursive process terms of $\mathbb{P}_{pc}$, given by the set
$\mathcal{A}_{MT}$ of equational laws of Table 2.

Apart from the usual laws for the alternative composition operator and for the unary static
operators, unlike the axiomatization of [2] we now have laws dealing with concurrency. In
particular, axiom $\mathcal{A}_{MT,5}$ concerning the parallel composition of
$P \equiv \sum_{i \in I} <a_i,\tilde\lambda_i>.P_i$ and
$Q \equiv \sum_{j \in J} <b_j,\tilde\mu_j>.Q_j$ - where $I$ and $J$ are nonempty finite index sets
and each summation on the right-hand side of the axiom is taken to be 0 whenever its set of summands
is empty - is the expansion law when enforcing generative-reactive and reactive-reactive
synchronizations. This axiom applies to non-performance-closed process terms too;
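e.g., the last addendum on its right-hand side is related to reactive-reactive synchronizations. 

$$
\begin{array}{ll}
(\mathcal{A}_{MT,1}) & P_1 + P_2 = P_2 + P_1 \\
(\mathcal{A}_{MT,2}) & (P_1 + P_2) + P_3 = P_1 + (P_2 + P_3) \\
(\mathcal{A}_{MT,3}) & P + 0 = P \\[2ex]
(\mathcal{A}_{MT,4}) & \sum\limits_{i \in I} <a,\lambda_i>.\sum\limits_{j \in J_i} <b_{i,j},\mu_{i,j}>.P_{i,j} \;=\; <a,\sum\limits_{k \in I} \lambda_k>.\sum\limits_{i \in I} \sum\limits_{j \in J_i} <b_{i,j},\frac{\lambda_i}{\sum_{k \in I} \lambda_k} \cdot \mu_{i,j}>.P_{i,j} \\
 & \text{if: } I \text{ is a finite index set with } |I| \ge 2; \\
 & \text{for all } i \in I, \text{ index set } J_i \text{ is finite and its summation is } 0 \text{ if } J_i = \emptyset; \\
 & \text{for all } i_1, i_2 \in I \text{ and } b \in Name\text{:} \\
 & \quad \sum\limits_{j \in J_{i_1}} \{|\, \mu_{i_1,j} \mid b_{i_1,j} = b \,|\} = \sum\limits_{j \in J_{i_2}} \{|\, \mu_{i_2,j} \mid b_{i_2,j} = b \,|\} \\[2ex]
(\mathcal{A}_{MT,5}) & \sum\limits_{i \in I} <a_i,\tilde\lambda_i>.P_i \;\|_S\; \sum\limits_{j \in J} <b_j,\tilde\mu_j>.Q_j \;=\; \\
 & \quad \sum\limits_{k \in I, a_k \notin S} <a_k,\tilde\lambda_k>.\Big(P_k \;\|_S\; \sum\limits_{j \in J} <b_j,\tilde\mu_j>.Q_j\Big) \;+ \\
 & \quad \sum\limits_{h \in J, b_h \notin S} <b_h,\tilde\mu_h>.\Big(\sum\limits_{i \in I} <a_i,\tilde\lambda_i>.P_i \;\|_S\; Q_h\Big) \;+ \\
 & \quad \sum\limits_{k \in I, a_k \in S, \tilde\lambda_k \in \mathbb{R}_{>0}} \; \sum\limits_{h \in J, b_h = a_k, \tilde\mu_h = *_{w_h}} <a_k,\tilde\lambda_k \cdot \frac{w_h}{weight(Q,b_h)}>.(P_k \|_S Q_h) \;+ \\
 & \quad \sum\limits_{h \in J, b_h \in S, \tilde\mu_h \in \mathbb{R}_{>0}} \; \sum\limits_{k \in I, a_k = b_h, \tilde\lambda_k = *_{v_k}} <b_h,\tilde\mu_h \cdot \frac{v_k}{weight(P,a_k)}>.(P_k \|_S Q_h) \;+ \\
 & \quad \sum\limits_{k \in I, a_k \in S, \tilde\lambda_k = *_{v_k}} \; \sum\limits_{h \in J, b_h = a_k, \tilde\mu_h = *_{w_h}} <a_k,*_{norm(v_k,w_h,a_k,P,Q)}>.(P_k \|_S Q_h) \\[2ex]
(\mathcal{A}_{MT,6}) & \sum\limits_{i \in I} <a_i,\tilde\lambda_i>.P_i \;\|_S\; 0 = \sum\limits_{k \in I, a_k \notin S} <a_k,\tilde\lambda_k>.P_k \\
(\mathcal{A}_{MT,7}) & 0 \;\|_S\; \sum\limits_{j \in J} <b_j,\tilde\mu_j>.Q_j = \sum\limits_{h \in J, b_h \notin S} <b_h,\tilde\mu_h>.Q_h \\
(\mathcal{A}_{MT,8}) & 0 \;\|_S\; 0 = 0 \\[2ex]
(\mathcal{A}_{MT,9}) & 0/H = 0 \\
(\mathcal{A}_{MT,10}) & (<a,\tilde\lambda>.P)/H = <\tau,\tilde\lambda>.(P/H) \quad \text{if } a \in H \\
(\mathcal{A}_{MT,11}) & (<a,\tilde\lambda>.P)/H = <a,\tilde\lambda>.(P/H) \quad \text{if } a \notin H \\
(\mathcal{A}_{MT,12}) & (P_1 + P_2)/H = P_1/H + P_2/H \\[2ex]
(\mathcal{A}_{MT,13}) & 0[\varphi] = 0 \\
(\mathcal{A}_{MT,14}) & (<a,\tilde\lambda>.P)[\varphi] = <\varphi(a),\tilde\lambda>.(P[\varphi]) \\
(\mathcal{A}_{MT,15}) & (P_1 + P_2)[\varphi] = P_1[\varphi] + P_2[\varphi]
\end{array}
$$

Table 2: Equational laws for $\sim_{MT}$

Like in [2], the law characterizing $\sim_{MT}$ is the axiom schema $\mathcal{A}_{MT,4}$, which in
turn subsumes the law $<a,\lambda_1>.P + <a,\lambda_2>.P = <a,\lambda_1 + \lambda_2>.P$
characterizing Markovian bisimilarity. The simplest instance of axiom schema $\mathcal{A}_{MT,4}$ is
depicted below: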




As emphasized by the figure above, $\sim_{MT}$ allows choices to be deferred in the case of branches
that start with the same action name (see the two $a$-branches on the left-hand side) and are
followed by sets of actions having the same names and total rates (see $\{<b,\mu>\}$ after each of
the two $a$-branches).

Theorem 6.1 Let $P_1, P_2 \in \mathbb{P}_{pc,nrec}$. Then $\mathcal{A}_{MT} \vdash P_1 = P_2 \iff P_1 \sim_{MT} P_2$. ■



7 Modal Logic Characterization 

Markovian testing equivalence has a modal logic characterization that, as in H, is based on a modal
language comprising true, disjunction, and diamond. A constraint is imposed on formulas of the form
$\phi_1 \vee \phi_2$, which does not reduce the expressive power as it is consistent with the
name-deterministic nature of branches within canonical reactive tests (see Sect. 4).

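Definition 7.1 The set of formulas of the modal language $\mathcal{ML}_{MT}$ is generated by the
following syntax:

$$
\begin{array}{rcl}
\phi & ::= & \mathrm{true} \mid \phi' \\
\phi' & ::= & \langle a \rangle \phi \mid \phi' \vee \phi'
\end{array}
$$

where $a \in Name_v$ and each formula of the form $\phi_1 \vee \phi_2$ satisfies:

$$
init(\phi_1) \cap init(\phi_2) = \emptyset
$$

with $init(\phi)$ being defined by induction on the syntactical structure of $\phi$ as follows:

$$
\begin{array}{rcl}
init(\mathrm{true}) & = & \emptyset \\
init(\langle a \rangle \phi) & = & \{a\} \\
init(\phi_1 \vee \phi_2) & = & init(\phi_1) \cup init(\phi_2)
\end{array}
$$
■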

Probabilistic and temporal information do not decorate any operator of the modal language, but come
into play through a quantitative interpretation function inspired by [16] that replaces the usual
boolean satisfaction relation. This interpretation function measures the probability that a process
term satisfies a formula quickly enough on average. The constraint imposed by Def. 7.1 on
disjunctions guarantees that their subformulas exercise independent computations of the process
term, thus ensuring the correct calculation of the probability of satisfying the overall formula. In
order to manage exponentially timed $\tau$-actions, unlike the length of the computations satisfying
the formula has to be taken into account as well.

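Definition 7.2 The interpretation function $[\![.]\!]^{.}_{MT}$ of $\mathcal{ML}_{MT}$ over
$\mathbb{P}_{pc} \times (\mathbb{R}_{>0})^*$ is defined by letting:

$$
[\![\phi]\!]^{|\theta|}_{MT}(P,\theta) =
\begin{cases}
0 & \text{if } |\theta| = 0 \wedge \phi \not\equiv \mathrm{true} \text{ or } |\theta| > 0 \wedge rate_o(P, init(\phi) \cup \{\tau\}, 0) = 0 \\
1 & \text{if } |\theta| = 0 \wedge \phi \equiv \mathrm{true}
\end{cases}
$$

otherwise by induction on the syntactical structure of $\phi$ and on the length of $\theta$ as follows: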



[truefcV^oQ) 



rate o (P,T,0) 



if 



[[(a)nS l (P,to6) 



rate o (P,T,0) 

E ™ teo (p A { a ,T},o) •[^]]mt( /V ' ) + 

■[[<a}0]]fi(P',e) if 



> r 



P — — >P' 



*- rate o (P{a,T},0) 

p >P' 



rate D (P,{<3,t},0) 



if 



rate o (P{a,T},0) 

oe)+p 2 -u^ e \p no . init .„t 2 od) 

+ ^ rateo (P,/mY(^V(|)2)U{T},0) • Ift V fa&( P 'i °) 



<t 



> t 



P >P> 



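where $P_{\text{no-init-}\tau}$ is $P$ devoid of all of its computations starting with a $\tau$-transition - which is assumed to be 
whenever all the computations of $P$ start with a $\tau$-transition - and for $j \in \{1,2\}$: 

$$p_j = \frac{rate_{\rm o}(P, init(\phi_j), 0)}{rate_{\rm o}(P, init(\phi_1 \lor \phi_2) \cup \{\tau\}, 0)}$$

$$t_j = t + \frac{1}{rate_{\rm o}(P, init(\phi_j), 0)} - \frac{1}{rate_{\rm o}(P, init(\phi_1 \lor \phi_2) \cup \{\tau\}, 0)}$$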



In the definition above, $p_j$ represents the probability with which $P$ performs actions whose name is in 
$init(\phi_j)$ rather than actions whose name is in $init(\phi_k) \cup \{\tau\}$, $k = 3 - j$, given that $P$ can perform actions 
whose name is in $init(\phi_1 \lor \phi_2) \cup \{\tau\}$. These probabilities are used as weights for the correct account of 
the probabilities with which $P$ satisfies only $\phi_1$ or $\phi_2$ in the context of the satisfaction of $\phi_1 \lor \phi_2$. If such 
weights were omitted, then the fact that $\phi_1 \lor \phi_2$ offers a set of initial actions at least as large as the ones 
offered by $\phi_1$ alone and by $\phi_2$ alone would be ignored, thus leading to a potential overestimate of the 
probability of satisfying $\phi_1 \lor \phi_2$. 

Similarly, $t_j$ represents the extra average time granted to $P$ for satisfying only $\phi_j$. This extra average 
time is equal to the difference between the average sojourn time in $P$ when only actions whose name is in 
$init(\phi_j)$ are enabled and the average sojourn time in $P$ when also actions whose name is in $init(\phi_k) \cup \{\tau\}$, 
$k = 3 - j$, are enabled. Since the latter cannot be greater than the former due to the race policy - more 
enabled actions means less time spent on average in a state - considering $t$ instead of $t_j$ in the satisfaction 
of $\phi_j$ in isolation would lead to a potential underestimate of the probability of satisfying $\phi_1 \lor \phi_2$ within 
the given average time upper bound, as $P$ may satisfy $\phi_1 \lor \phi_2$ within $t \circ \theta$ even if $P$ satisfies neither $\phi_1$ 
nor $\phi_2$ taken in isolation within $t \circ \theta$. 



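Theorem 7.3 $P_1 \sim_{\rm MT} P_2 \iff \forall \phi \in \mathcal{ML}_{\rm MT}.\, \forall \theta \in (\mathbb{R}_{>0})^*.\, [\![\phi]\!]^{|\theta|}_{\rm MT}(P_1, \theta) = [\![\phi]\!]^{|\theta|}_{\rm MT}(P_2, \theta)$. 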



8 Verification Algorithm 

Markovian testing equivalence can be decided in polynomial time. The reason is that Markovian testing 
equivalence coincides with Markovian ready equivalence and, given two process terms, their underlying 
CTMCs in which action names have not been discarded from transition labels are Markovian ready 
equivalent iff the corresponding embedded DTMCs in which transitions have been labeled with suitably 
augmented names are related by probabilistic ready equivalence. The latter equivalence is decidable in 
polynomial time [15] through a reworking of the algorithm for probabilistic language equivalence [18]. 

Following [19], the transformation of a name-labeled CTMC into the corresponding embedded name- 
labeled DTMC is carried out by simply turning the rate of each transition into the corresponding execu- 
tion probability. Then, we need to encode the total exit rate of each state of the original name-labeled 
CTMC inside the names of all transitions departing from that state in the associated embedded DTMC. 
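
The transformation just described, as an added Python example that is not part of the original paper. The dictionary representation of the CTMC, the pair (name, exit rate) used as augmented name, and the two sample chains are assumptions made for illustration.

```python
from collections import defaultdict
from fractions import Fraction


def embed(ctmc):
    """Embedded name-labeled DTMC of a name-labeled CTMC.

    ctmc maps each state to a list of (name, rate, target) transitions.
    The result maps each state to {((name, exit_rate), target): probability}:
    the rate becomes an execution probability and the total exit rate of the
    source state is carried inside the augmented name (name, exit_rate).
    """
    dtmc = {}
    for state, transitions in ctmc.items():
        exit_rate = sum(Fraction(rate) for _, rate, _ in transitions)
        out = defaultdict(Fraction)
        for name, rate, target in transitions:
            # Parallel transitions with the same name and target are merged.
            out[((name, exit_rate), target)] += Fraction(rate) / exit_rate
        dtmc[state] = dict(out)
    return dtmc


def drop_exit_rates(dtmc):
    """Forget the exit rate in every augmented name (plain embedded DTMC)."""
    plain = {}
    for state, out in dtmc.items():
        merged = defaultdict(Fraction)
        for ((name, _), target), prob in out.items():
            merged[(name, target)] += prob
        plain[state] = dict(merged)
    return plain


# Constructed sample chains: same branching structure, FAST is twice as quick.
SLOW = {"s0": [("a", 1, "s1"), ("b", 1, "s2")], "s1": [], "s2": []}
FAST = {"s0": [("a", 2, "s1"), ("b", 2, "s2")], "s1": [], "s2": []}

if __name__ == "__main__":
    for label, chain in (("SLOW", SLOW), ("FAST", FAST)):
        print(label, embed(chain)["s0"])
    # Without the exit rate in the names the two DTMCs are indistinguishable.
    print(drop_exit_rates(embed(SLOW)) == drop_exit_rates(embed(FAST)))
```

The two sample chains have identical execution probabilities, so only the exit rate carried in the augmented names keeps their embedded DTMCs apart.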

Acknowledgment: This work has been funded by MIUR-PRIN project PaCo - Performability-Aware 
Computing: Logics, Models, and Languages. 

References 

[1] C. Baier, J.-P. Katoen, H. Hermanns, and V. Wolf, "Comparative Branching-Time Semantics for Markov Chains", in Information and Computation 200:149-214, 2005. 

[2] M. Bernardo, "Non-Bisimulation-Based Markovian Behavioral Equivalences", in Journal of Logic and Algebraic Programming 72:3-49, 2007. 

[3] M. Bernardo, "Towards State Space Reduction Based on T-Lumpability-Consistent Relations", in Proc. of EPEW 2008, Springer, LNCS 5261:64-78, Palma de Mallorca (Spain), 2008. 

[4] M. Bernardo, "Uniform Logical Characterizations of Testing Equivalences for Nondeterministic, Probabilistic and Markovian Processes", in Proc. of QAPL 2009, Elsevier, ENTCS, York (UK), 2009. 

[5] M. Bernardo and M. Bravetti, "Performance Measure Sensitive Congruences for Markovian Process Algebras", in Theoretical Computer Science 290:117-160, 2003. 

[6] M. Bravetti, "Revisiting Interactive Markov Chains", in Proc. of MTCS 2002, Elsevier, ENTCS 68(5):1-20, Brno (Czech Republic), 2002. 

[7] S.D. Brookes, C.A.R. Hoare, and A.W. Roscoe, "A Theory of Communicating Sequential Processes", in Journal of the ACM 31:560-599, 1984. 

[8] P. Buchholz, "Exact and Ordinary Lumpability in Finite Markov Chains", in Journal of Applied Probability 31:59-75, 1994. 

[9] I. Christoff, "Testing Equivalences and Fully Abstract Models for Probabilistic Processes", in Proc. of CONCUR 1990, Springer, LNCS 458:126-140, Amsterdam (The Netherlands), 1990. 

[10] R. Cleaveland, Z. Dayar, S.A. Smolka, and S. Yuen, "Testing Preorders for Probabilistic Processes", in Information and Computation 154:93-148, 1999. 

[11] R. De Nicola and M. Hennessy, "Testing Equivalences for Processes", in Theoretical Computer Science 34:83-133, 1983. 

[12] R.J. van Glabbeek, S.A. Smolka, and B. Steffen, "Reactive, Generative and Stratified Models of Probabilistic Processes", in Information and Computation 121:59-80, 1995. 

[13] H. Hermanns, "Interactive Markov Chains", Springer, LNCS 2428, 2002. 

[14] J. Hillston, "A Compositional Approach to Performance Modelling", Cambridge University Press, 1996. 

[15] D.T. Huynh and L. Tian, "On Some Equivalence Relations for Probabilistic Processes", in Fundamenta Informaticae 17:211-234, 1992. 

[16] M.Z. Kwiatkowska and G.J. Norman, "A Testing Equivalence for Reactive Probabilistic Processes", in Proc. of EXPRESS 1998, Elsevier, ENTCS 16(2):114-132, Nice (France), 1998. 

[17] R. Milner, "Communication and Concurrency", Prentice Hall, 1989. 

[18] W.-G. Tzeng, "A Polynomial-Time Algorithm for the Equivalence of Probabilistic Automata", in SIAM Journal on Computing 21:216-227, 1992. 

[19] V. Wolf, C. Baier, and M. Majster-Cederbaum, "Trace Machines for Observing Continuous-Time Markov Chains", in Proc. of QAPL 2005, Elsevier, ENTCS 153(2):259-277, Edinburgh (UK), 2005. 



